Minimizing Down-time Cut-in of Zone Based Policy Firewall

Answered Question
Sep 21st, 2008

A client has an existing router to which I need to add ZBF. The design guide below talks about the overall configuration of ZBF. But because this router is so actively used - I can't rough it in. Need to get the downtime down to about a minute.

So - to minimize the outage, would the order be:

1) Add class-maps

2) Add policy-maps

3) Add zones

4) Add zone-pairs

5) Assign interfaces to zones ??

To "deactivate ZBF" if it doesn't go well...is the fastest way to remove all interfaces from zone membership?

Thanks.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
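The five steps and the rollback from the post, written out as an IOS configuration. This is an added illustration, not from the thread or the linked guide; the class-map, policy-map and zone names, the matched protocols and the interface numbers are assumptions.

```ios
! Step 1: class-maps - define the traffic the firewall will inspect.
! Names and protocols below are assumed for illustration.
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! Step 2: policy-maps - inspect the matched traffic, drop everything else.
! Steps 1-4 are harmless on a live router: nothing is enforced until step 5.
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
! Step 3: zones.
zone security INSIDE
zone security OUTSIDE
!
! Step 4: zone-pair with the policy attached. No OUTSIDE-to-INSIDE pair is
! defined, so unsolicited inbound traffic is dropped; replies to inspected
! sessions are allowed back by the inspect action.
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
! Step 5: interface assignment - the only step that changes forwarding.
! Once an interface joins a zone, traffic between it and any interface that
! is not yet in a zone is dropped, so paste both assignments together.
! Traffic to the router itself (the self zone) is still permitted by default.
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
!
! Rollback (what the thread calls "deactivating" ZBF): removing zone
! membership returns the interfaces to unfiltered forwarding immediately;
! the class-maps, policy-maps, zones and zone-pairs can stay in place.
interface GigabitEthernet0/0
 no zone-member security INSIDE
interface GigabitEthernet0/1
 no zone-member security OUTSIDE
```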

Correct Answer by robertson.michael, Thu, 09/25/2008 - 08:46

Hi Michael,

Your plan looks good to me. If possible, I would recommend both writing and testing the configuration on a non-production router first. This way, you can work out any quirks in your config and make sure everything works as expected. Once this is done, you can copy the configuration into a text editor and simply paste it into the production router during a brief maintenance window.

Also, you are correct in that the fastest way to "deactivate" ZBFW is to simply remove the interfaces' zone membership.

Hope that helps.

-Mike


sdniel Tue, 01/27/2009 - 15:16

Mike,

If you remove the interfaces' zone membership, doesn't IOS firewall default to not passing any traffic?

abinjola Wed, 01/28/2009 - 01:59

No, it doesn't. When you remove zone membership from interfaces, ZBF is no longer effective for those interfaces, which means any policies applied to ZBF also become void for that interface.
